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REMARKS 

This is a full and timely response to the non-final Office Action mailed May 11, 2009. 
Reconsideration and allowance of the application and presently pending claims are respectfully 
requested. 

Telephone Conversation Status of Patent Application 

Examiner Schmidt is thanked for the telephone conversation conducted on July 23, 2009. 
Proposed claim amendments were discussed. Asserted art was discussed. It appears that the 
claim objection is overcome. It appears that the rejections under 35 U.S.C. § 1 12 are overcome. 
It appears that the rejections under 35 U.S.C. § 101 are overcome. 

Present Status of Patent Application 

Claims 1, 2, 6, 19, 20, 23, 28, 37-40, and 45-51 are now pending in the present 
application. Claims 1,19, 23, 50 and 51 are currently amended without introduction of new 
matter; claims 2 and 20 are original claims; claims 6, 28, 37-40, and 45-49 are previously 
presented; claims 3-5, 7-9, 12-14, 16-18, 21-22, 24-27, 29-36, and 42 are cancelled without 
prejudice, waiver, or disclaimer; and claims 10, 11, 15, 41, 43 and 44 have been withdrawn as a 
result of a restriction that has been imposed by the Examiner in the current Office action. 
Reconsideration and allowance of the application and presently pending claims are respectfully 
requested. 

Claim Objections 

Statement of the Objection 

Claim 51 objected to because of the following informalities: Claim 51 appears to be a 
run-on sentence and an incomplete claim. Appropriate correction is required. 
Response to the Objection 

Applicants respectfully submit that the reason for the objection may have possibly 
originated from misinterpreting the period mark (.) in the term ".setjmp" cited in the claim. In 
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this connection, attention is drawn to paragraph [0033] and others wherein a table titled a 
".setjmp table" has been described. 

Nonetheless, in an effort to reduce any potential ambiguities, Applicants have opted to 
amend the claim so as to omit the period mark. Consequently, the claim now includes a "setjmp 
table" that is used for storing valid target addresses associated with a "longjmp" runtime 
function. 

In view of the amendment described above, Applicants respectfully request withdrawal of 
the objection to pending claim 5 1 . 

Claim Rejections under 35 U.S.C. $112 
Statement of the Rejection 

Claims 1, 2, 6, 28, 37-40, 50-51 is rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 
Claim 1 

The examiner notes that "storing in a table, the list of valid target addresses as a reference list of 
valid target addresses" is indefinite. Where is this table stored? Is it in the object file or is in 
executable code or is it stored some where else (e.g. memory, etc). The examiner will interpret 
storing in a table of valid target addresses to be within an object file. 
Response to the Rejection 

Applicants respectfully disagree that claim 1 is indefinite, however, without prejudice or 
disclaimer, Applicants have opted to currently amend independent claim 1 in order to clarify that 
the table is part of an object file (as accurately interpreted by Examiner). 

Consequently, Applicants respectfully request that the rejection of claim 1 (as well as 
dependent claims 2, 6, 28, 37-40, 50-5 1) under 35 U.S.C. 1 12, be withdrawn. 
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Claim Rejections under 35 U.S.C. $101 
Statement of the Rejection 

Claims 1-2, 6, 28, 37-40 and 50-51 are rejected under 35 U.S.C. 101 s not falling within 
one of the four statutory categories of invention. 

Claims 19-20, 23, 45-49 are rejected under 35 U.S.C. 101 s not falling within one of the 
four statutory categories of invention. 

Response to the Rejection 
Claims 1-2, 6, 28, 37-40 and 50-51 

The Office action asserts on page 5: "The instant claims are neither positively tied to a 
particular machine that accomplishes the claimed method steps nor transform underlying subject 
matter, and therefore do not qualify as a statutory process." 

In response thereto, Applicants have amended independent claim 1 to indicate that the 
method steps cited in the claim are performed using computer-executable instructions that are 
stored in a computer-readable storage medium, and respectfully request that the rejection of 
claim 1 (as well as dependent claims 2, 6, 28, 37-40, 50-51) under 35 U.S.C. 101 be withdrawn. 

Claims 19-20, 23, and 45-49 

The Office action asserts on page 5: "Claims 19-20, 23, 45-49 are directed to "computer 
program products. " Generally, functional descriptive material, such as a computer program, is 
statutory when it is stored on a tangible computer readable medium.'" 

In response thereto, Applicants have amended independent claim 19 to indicate that the 
claim is directed to a computer system that includes a computer-readable storage medium for 
storing program modules. Applicants respectfully submit that the rejection of claim 19 under 35 
U.S.C. 101 has been overcome because the amendment now positively ties the claim to a 
computer system and a computer-readable storage medium. 

Consequently, Applicants respectfully request that the rejection of claim 19 (as well as 
dependent claims 20, 23, and 45-49) under 35 U.S.C. 101 be withdrawn. 

Page 10 of 17 



DOCKET NO.: MSFT-2568/307781.01 
Application No.: 10/750,297 
Office Action Dated: May 11, 2009 



PATENT 



Claim Rejections under 35 U.S.C. $103 
Statement of the Rejection 

Claims 1, 2, 6, 19, 23, 28, 37-40, and 45-51 are rejected under 35 U.S.C. 103(a), as best 
understood, as being unpatentable over Lueh (US 6,658,657 Bl) in view of and Kaufer et al. (US 
5,812,828) and Richarte, Gerardo. "Four different tricks to bypass Stackshield and StackGuard 
protection ". 

Response to the Rejection 

Claim 1 

Applicants respectfully traverse the rejection of this claim, for various reasons as 
explained below. Nonetheless, Applicants have opted to currently amend rejected independent 
claim 1 in order to move forward prosecution in the case. As amended, the claim now includes: 
"concluding that a first object file has no valid target addresses pertaining to runtime 
functionality, upon detecting: a) the presence of the identifier in the first object file, and b) the 
absence of a runtime section of code in the first object file" and further includes: "concluding 
that a second object file has a list of valid target addresses pertaining to runtime functionality, 
upon detecting: a) that the identifier in the second object file is present and has been asserted, 
and b) that a runtime section of code is present in the second object file. " Applicants respectfully 
submit that this aspect of the claim (which is described in Applicants' specification in various 
places such as in paragraphs [0036] and [0037] for example), is neither reasonably taught nor 
suggested by the cited references, individually or combinedly. 

The cited references also fail to teach or suggest other aspects of the claim, such as the 
"identifier" for example. In this context, Applicants respectfully draw attention to the fact that 
the Office action is very unclear in providing details for substantiating the rejection, and 
specifically makes several ambiguous and contradictory statements pertaining to Applicants' 
"identifier." 

To elaborate, attention is drawn to page 10 of the Office action, wherein it is asserted: "It 
would have been obvious to one of ordinary skill in the art at the time the invention was made to 
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modify the teachings of Lueh in view of Kaufer to include compiling code to produce executable 
code that is marked with an identifier indicating that the executable code supports runtime 
protection; receiving a call to a runtime function of the executable code for a runtime function; 
and if the target address is not found on the reference list of a valid target addresses then 
terminating execution of the executable code as taught by Richarte." (Emphasis added). 

Judging by this assertion, it would appear that Kaufer teaches "executable code that is 
marked with an identifier :" 

However, this assertion is contradicted on page 9 of the Office action wherein it is 
admitted that "Lueh in view of Kaufer fails to disclose code to produce executable code that is 
marked with an identifier indicating that the executable code supports runtime protection." 
(Emphasis added). 

This admission is in line with the statements pertaining to Lueh and/or Kaufer that are 
provided on pages 8-9 of the Office action. None of these statements identify where in either 
Lueh or Kaufer can be found Applicants' "identifier." To the contrary, it would appear from 
other statements on pages 9-10 of the Office action that Richarte is being relied upon as teaching 
a "canary" that is allegedly equivalent to Applicants' "identifier". 

If this is indeed the case, Applicants respectfully draw attention to remarks submitted in 
their previous response, which refutes this allegation. A pertinent portion of this previous 
response is reproduced below for easy reference: 



Attention is respectfully drawn to page 5 of the current Office action wherein it is alleged 
that the cited reference of Richarte discloses "executable code which is marked with a 
canary (e.g. identifier) for runtime protection.'" Applicants acknowledge that Richarte 
does indeed disclose runtime protection using a canary in the form of a constant 
"OxOOOaffOd" that is pushed into his stack. Protection against buffer overflow attacks is 
provided by checking to see if the value of the constant (the canary) has been changed as 
a result of an attack. Richarte describes this aspect in his pages 5-6 (under StackGuard 
protection) as follows: "A standard stack based buffer overflow attack would change the 
return address, and on its way will overwrite the canary, so, unless we write the right 
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value in the canary the check in the epilog will fail and abort the program." 

In contrast, Applicants' claim 1 is directed at using an identifier as a flag to 
indicate that runtime protection has been provided in a portion of executable code. In 
other words, unlike Richarte whose canary itself is used to check for attacks, the 
identifier of Applicants' claim 1 is not used directly to check for attacks. Instead, 
Applicants' identifier is used to indicate the presence of runtime protection (in the form 
of a valid target address located in an object code). 

Notwithstanding the fact (as explained above), that Richarte's "canary" does not 
reasonably teach or suggest Applicants' "identifier," Applicants have opted to amend claim 1 in 
order to eliminate any potential ambiguity in interpreting this aspect of the claim. As amended 
the claim now recites: "compiling source code files to produce a plurality of object files, each of 
which is marked with an identifier for indicating that executable code generated from each of the 
plurality of object files supports runtime protection .'''' Consequently, one of ordinary skill in the 
art can readily recognize the differences between the use of Applicants' identifier and Richarte's 
canary . 

In summary, Applicants respectfully submit that cited references, individually and/or 
combinedly, fail to teach or suggest various aspects of Applicants claim 1 , thereby making the 
claim allowable at least in currently amended form. Consequently, Applicants request 
withdrawal of the rejection followed by allowance of the claim. 

Claims 2, 6, 28, 37-40, 50 and 51 

Applicants respectfully traverse the rejection of these claims for various reasons. 

For example, in rejecting Applicants' claim 50 , the Office action makes the following 
assertion on page 15 of the Office action: "Lueh in view of Kaufer and Ricarte discloses the use 
of an linking executable code to object fields (see Kaufer, col. 3, lines 57 -col. 4, lines 42) and 
further an identifier that is 4 bytes Ions that indicates that the executable code implements 
runtime protections (see Ricarte, page 5) . 

Lueh in view of Kaufer and Ricarte fails to disclose wherein the identifier is a bit. The 
examiner notes it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings of Lueh in view of Kaufer and Ricarte to modify the 
4 byte Ions identifier and desisn it to be a bit as a matter of desisn choice ." (Emphasis added). 
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With reference to the first portion that is emphasized above (i.e., "an identifier that is 4 
bytes long that indicates that the executable code implements runtime protections (see Ricarte, 
page 5/'), attention is drawn to Richarte's page 5, which teaches a 4 byte canary. As shown in 
his table, this canary corresponds to a constant value (OxOOOaffOd) that is described in his lines 
1-2 page 5, as follows: ". . . pushing a canary into the stack (for StackGuard v2.0.1 it's a constant 
OxOOOaffOd, latter (sic) we will see why)...'" ). A more detailed explanation of how a change in 
this constant value of the canary provides an indication of a stack based buffer overflow attack is 
provided in his pages 5-6. 

In contrast to Richarte's approach wherein a change in a constant value (the canary) is 
used to detect an attack, Applicants' identifier is used to provide an indication that the code 
supports runtime protection (i.e. the actual protection is carried out via "the runtime section of 
code" as cited in the claim, rather than the identifier itself). 

More importantly, it will be pertinent to point out that Richarte's canary is selected so as 
to thwart an attacker from guessing the constant value (Richarte describes this aspect in his page 
27 vis-a-vis his "random canary"). Consequently, it is illogical on the part of the Office action 
(page 15) to assert that it would have been obvious to modify Richarte's 4 byte code and design 
it as a 1-bit code , when this code is expressly designed to avoid detection by an attacker . One of 
ordinary skill in the art can recognize that a 1-bit implementation provides an insignificant level 
of encoding in comparison to codes containing a larger number of bits. Consequently, it will be 
illogical and counter-intuitive to reduce the number of bits from 4 to 1, rather than increase it to a 
number greater than 4. 

Also, it will be pertinent to point out to additional aspects of claim 50. For example, the 
claim further includes: "an identifier that is operable to be set for indicating. . ." This action of 
"setting" (asserting) the identifier is used to indicate the presence/absence of runtime protection 
in Applicants' code. 

As described in Applicants' paragraph [0036]: "Thus, setting this bit declares that a 
section in the object file comprises a list of valid target or return addresses for the executable 
code in that object." Furthermore, as indicated in Applicants' paragraph [0037]: "It is 
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contemplated that if the object file does not contain a .setjmp section, but the bit marking the 
object file is present, then the code in the object file has no longjmp target or setjmp return 
addresses." 

The above-mentioned aspects are also cited in amended claim 1 {^'concluding that a first 
object file. . ." and "concluding that a second object file. . ." etc.). 

In summary, Applicants respectfully submit that cited references, individually and/or 
combinedly, fail to teach or suggest various aspects of Applicants claim 50 (as well as claim 1) 
thereby making these claims allowable. 

Applicants further point out that each of dependent claims 2, 6, 28, 37-40, 50, and 51 are 
also allowable for at least the reason that these claims are dependent on allowable claim 1 . 
Consequently, Applicants respectfully request withdrawal of the rejection followed by allowance 
of these claims. 

Claim 19 

Applicants have opted to currently amend rejected independent claim 19 in order to move 
forward prosecution in the case. As amended, the claim now includes: "a compiler that compiles 
source code files to produce a plurality of object files, wherein each of the plurality of files is 
produced by the compiler with an identifier that operates as a marker which when placed in a set 
condition provides an indication that the object file contains a list of valid target addresses for 
use in implementing runtime protection .'" 

Certain remarks (pertaining to the identifier) made above in response to the rejection of 
claim 1 are equally pertinent to the rejection of claim 19 as well. However, in the interest of 
brevity these remarks will not be repeated herein. In short, Applicants respectfully submit that 
cited references, individually and/or combinedly, fail to teach or suggest various aspects of 
Applicants claim 19 thereby making the claim allowable at least in currently amended form. 
Consequently, Applicants request withdrawal of the rejection followed by allowance of the 
claim. 

Claims 23, and 45-51 

Applicants respectfully traverse the rejection of these claims for various reasons. 
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However, rather than elaborating upon these reasons, Applicants respectfully point out that 
claims 23, and 45-51 are allowable for at least the reasons that these claims are dependent on 
independent claim 19 that is allowable. Consequently, Applicants respectfully request 
withdrawal of the rejection followed by allowance of these claims. 

Cited Art Made of Record 

The cited art made of record has been considered, but is not believed to affect the 
patentability of the presently pending claims. 



Page 16 of 17 



DOCKET NO.: MSFT-2568/307781.01 
Application No.: 10/750,297 
Office Action Dated: May 11, 2009 



PATENT 



CONCLUSION 

Applicants respectfully submit that pending claims are allowable. Favorable 
reconsideration and allowance of the present application and all pending claims are hereby 
courteously requested. If, in the opinion of the Examiner, a telephonic conference would expedite 
the examination of this matter, the Examiner is invited to call the undersigned representative. 



Date: August 1 1 , 2009 /Joseph F. Oriti/ 

Joseph F. Oriti 
Registration No. 47,835 

Woodcock Washburn LLP 
Cira Centre 

2929 Arch Street, 12th Floor 
Philadelphia, PA 19104-2891 
Telephone: (215)568-3100 
Facsimile: (215) 568-3439 
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